Part 2 - A Practical Case

A crash !

Soon after I made Part 1 of this recovery guide available, I received an
e-mail from a gentleman who had suffered what seemed to be a major HD
crash. He had totally lost access to his hard drive. Initially, this drive
had contained an OS/2 Boot Manager, a small DOS partition, and two bigger
HPFS partitions. An initial examination with OS/2's FDISK simply showed
meaningless garbage. To complicate matters, it refused to write to the
disk. DOS' FDISK showed incoherent data.

E-mail to the rescue

At this point, considering the fact that the crash did not last long, I
suspected that the data on the hard drive was mostly intact. We decided to
attempt an e-mail recovery. (Mr Victim lives somewhere in the US and I live
somewhere in Europe, so shipping the drive was a bit cumbersome.)

Note : the fact that the crash was short is significant. It suggests
that the data on the hard disk hasn't been corrupted extensively. Software
crashes are not able to wipe 850 MB in ten seconds. Think about it for
a while : this would require an 85 MB/sec data transfer rate !

A short software crash doesn't wipe an entire disk clean !

Step One : a white page

Mr Victim
hits another problem when he realizes that the FDISKs he tries are useless.
They simply refuse to commit the reasonable changes he wishes to apply.
That is actually a good thing because FDISK might prove to be dangerous
in those circumstances : you can never be sure of what the different versions
of the utility will really write on the disk.

Never trust FDISK when partition information is wrong or non-existent !

When I do this kind of recovery, I prefer to start with a white page : Mr
Victim will use a boot disk and Norton Disk Editor to clean the MBR (the
first physical sector of the hard disk). Here is the relevant part of our
e-mails, edited for clarity, starting with what I first suggested.

Quoting from our e-mails

Pierre 0 in the first
sector (FA 33) and then write zeroes (by changing to write mode in the
config of diskedit) up to, but not including the 55AA at the end of the
sector (those bytes are OK). Then boot as you wish from floppy and execute
fdisk /mbr or fdisk /newmbr in order to have a clean boot code, a valid
boot marker and an empty partition table.

Victim Alright. After much finger-crossing, I did as you said and zero'd
the first 510 bytes of the first sector using DISKEDIT. I then booted
from an OS/2 floppy and ran FDISK. Now OS/2's FDISK reports:

Partition Information

Name Status Access FS Mbyte
None :Pri/Log Freespace 812

That's quite a change
from the junk I used to see the past week. :-) Anyway, at this point,
I'd like to confirm again that I should boot OS/2 (from floppy) and run
FDISK /NEWMBR /DISK:1 (this is the correct format - I've checked)?

Yes, Mr Victim, this
is the correct format and we now have a nice empty page to work with.
Writing proper bootstrap code wasn't really necessary because we aimed
at the fourth partition on the drive, but it is a necessary step if you
want to restore a booting system.

Step Two : what do we want ?

Mr Victim told me that the data he wants to recover was located on the 4th
partition of the hard drive. This partition was formatted in HPFS. Relevant ?
No ! We don't care about the format of the partition because we only need to
restore correct pointers to the partition location.

Norton DiskEditor will help us get a binary image of all possible
partition/boot sectors on the hard disk. I need those images to build up a
coherent mental picture of the drive's structure. Unfortunately, the
algorithm Norton DiskEditor uses to find those sectors isn't very
sophisticated. It only looks for the 55AA marker at the end of a sector.
That's why Mr Victim sent me a few sectors too many. However, some of those
possible MBR/boot sectors were particularly interesting because they fit
quite nicely in the disk partitioning model Mr Victim described.

1. We know or can find out that the drive geometry is 32 Sides x 825
Cylinders x 63 Sectors. There are several different ways to obtain this
information, but Disk Editor can provide the BIOS disk geometry under the
Tools/Advanced menu.

2. We visually confirm that Cylinder 194 - Side 1 - Sect 1 contains a valid
OS/2 boot sector. See below. The text messages will help a novice confirm
that it is a boot sector.

Remember that the
target of our recovery is that HPFS partition. All we need to do now is
recreate a correct pointer in the MBR. We know that this pointer must
be an extended partition entry. If it was not the case, we would not have
a partition table at (Cyl 194 - Side 0 - Sect 1) but we would have a boot
sector.

We know that it ends
at least at (Cyl 824-31-63) because the partition it contains ends there.
We know that it ends at most at (Cyl 824-31-63) because this is the end
of the disk.

We calculate that it contains 1272096 sectors. One way to calculate this is
by adding the size of the HPFS partition to the number of hidden sectors
before that partition.

We calculate the total number of sectors on the disk : 32x825x63 = 1663200.
(Note that Cyl goes from 0 to 824, Side from 0 to 31 and Sectors from 1 to
63).

We calculate the offset of this partition (the distance from the MBR) to be
equal to the offset of the last sector of the HD minus the total size of the
partition.

1663200 - 1272096 = 391104

Therefore, with DiskEditor, we create the following partition entry in the
MBR (the real recovery involved sending the HEX string by e-mail for remote
patching of the MBR) and put the disk as a secondary disk in an OS/2 system.
The partition becomes visible after the reboot and is immediately backed up.

"The rebuilt extended partition entry"

State  Begin Head  Begin Cyl  Begin Sect  Type    End Head  End Cyl  End Sect  Relative Sect  Number of Sect
NO     0           194        1           EXTEND  31        824      63        391104         1272096
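The calculation above, carried through to the 16 raw bytes of the MBR entry, as an added example that is not part of the original e-mail exchange. It assumes that DiskEditor's "EXTEND" corresponds to the standard partition type byte 0x05; the function names are illustrative.

```python
import struct

# Geometry reported on the page: 32 sides x 825 cylinders x 63 sectors.
HEADS, CYLINDERS, SECTORS = 32, 825, 63
TYPE_EXTENDED = 0x05  # assumption: DiskEditor's "EXTEND" is MBR type 0x05

def chs_to_lba(cyl, head, sect):
    """Linear sector number of a CHS address (sectors count from 1)."""
    if not (0 <= cyl < CYLINDERS and 0 <= head < HEADS and 1 <= sect <= SECTORS):
        raise ValueError(f"CHS {cyl}-{head}-{sect} is outside the disk geometry")
    return (cyl * HEADS + head) * SECTORS + (sect - 1)

def pack_chs(cyl, head, sect):
    """3-byte CHS field: head, sector plus cylinder bits 8-9, cylinder low byte."""
    return bytes([head, sect | ((cyl >> 8) & 0x03) << 6, cyl & 0xFF])

def build_entry(begin, end, ptype, active=False):
    """Build the 16-byte entry from begin/end (cyl, head, sect) tuples."""
    start = chs_to_lba(*begin)
    count = chs_to_lba(*end) - start + 1
    if count <= 0:
        raise ValueError("partition ends before it begins")
    return (bytes([0x80 if active else 0x00]) + pack_chs(*begin)
            + bytes([ptype]) + pack_chs(*end)
            + struct.pack("<II", start, count))  # little-endian offset, size

def check_entry(entry):
    """Decode an entry and confirm its CHS and LBA fields describe the same span."""
    def unpack_chs(b):
        return ((b[1] & 0xC0) << 2 | b[2], b[0], b[1] & 0x3F)
    start, count = struct.unpack("<II", entry[8:16])
    return (chs_to_lba(*unpack_chs(entry[1:4])) == start
            and chs_to_lba(*unpack_chs(entry[5:8])) == start + count - 1)

def rebuilt_extended_entry():
    """The entry from the page: Cyl 194-0-1 through Cyl 824-31-63."""
    return build_entry((194, 0, 1), (824, 31, 63), TYPE_EXTENDED)

if __name__ == "__main__":
    entry = rebuilt_extended_entry()
    print("total sectors :", HEADS * CYLINDERS * SECTORS)
    print("relative sect :", chs_to_lba(194, 0, 1))
    print("entry (hex)   :", entry.hex(" ").upper())
    print("consistent    :", check_entry(entry))
```

Running `check_entry` on a hand-typed entry before writing it to the MBR catches a CHS field that disagrees with the Relative Sect and Number of Sect values.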

Questions ?

what happened to the disk ?

what if the situation is more complex ?

what if I need to recover a complete system ?

you did a free e-mail recovery for that guy, will you do that for me ? No,
I've got a life to earn...

what is LBA, how does Win 95 OSR 2 deal with disks bigger than 2 GB, etc... ?
READ THE RELEVANT FAQ!!!